Active Directory Security Event IDs Used by PaloAlto User-ID Agent 

Environment -

• Windows based User-ID Agent.
• All version.

2000 - 2003:

SUCCESS_NET_LOGON = 540
AUTH_TICKET_GRANTED = 672
SERVICE_TICKET_GRANTED = 673
TICKET_GRANTED_RENEW = 674 


2008 and above:

LOGON_SUCCESS_W2008 = 4624
AUTH_TICKET_GRANTED_W2008 = 4768
SERVICE_TICKET_GRANTED = 4769
TICKET_GRANTED_RENEW_W2008 = 4770 

 What would you do ?

At time, we have get into unprecedented situations that you need to compare two repos (I know, thats not how repos should be maintained, but it is what it is)

So, in that case here is how you will dodge through

git remote add -f b path/to/repo_b.git
git remote update
git diff master remotes/b/master
git remote rm b

 What would you do  ?

 What would you do when there is no telnet client enabled but you want to test a port, most of the linux clients are installed with curl, in that case we can use curl to achieve the same.

curl -v telnet://x.x.x.x:22

* About to connect() to x.x.x.x port 22 (#0)

* Trying x.x.x.x...

* Connected to x.x.x.x (x.x.x.x) port 22 (#0)

SSH-y.0-OpenSSH_y.y

How to connect a PaloAlto VM in GN3 running in Linux

Assumption -  PaloAlto Management IP (default) : 192.168.1.1/24

 

sudo ip tuntap add name tap0 mode tap

sudo ip addr add 192.168.1.100/24 dev tap0

sudo ip link set dev tap0 up

 

Verify the adpater configs using "ip address" command in terminal. Once confirmed - 

1. Connect Add tap0 adpater to gns3 cloud

2. Connect Tap0 adapter in cloud to PA VM using GN3 Links

At this point in time, you will be able to connect Palo Alto GUI from Webbrowser in Linux machine

Visual Studio Code : How to se the new line character

Many of the systems want to see Unix type of files and it will throw errors with windows style end of line sequence

  

How to remediate and test TMUI RCE vulnerability CVE-2020-5902 ?

How to remediate and test TMUI RCE vulnerability

CVE-2020-5902 ?

F5 Codes affected :

11.x to 15.x except 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 and  11.6.5.2

How to test you are affected with this vulnerability?

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf

https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

How to fix this ?

Ofcoz its a code upgrade to the fixed version, but its not easy to plan this over night...

What would be the workaround ?

It’s a 3-step approach (as of now), priority in order....

1.       Secure your Self IP with Port lockdown enabled, set to none (preferably) or custom as per requirements (don’t allow configuration utility ports, usually 443 or 8443 (for BIG-IP 13.x Single NIC BIG-IP Virtual Edition (VE)). This will help to avoid any attacks by exploiting this vulnerability from INTERNET.

2.       Allow management access only from a secure network.

3.       Enable location match settings (This is not covering all, not every effective completely. However, better than nothing), regex to match is  was  ".*\.\.;.*" and later corrrect to ";"

However, this can be still exploited as per the latest research. 

a.       edit /sys httpd all-properties

b.       replace the line “include none” by following and save the file

c.       save /sys config

d.       restart sys service httpd

How to check the attempts of exploitation ?

Versions till  to 14.1.0:

In versions earlier than 14.1.0, with the default configuration, you can check logs in /var/log/audit and /var/log/ltm as follows. 

grep -i '%tmui' /var/log/audit
grep -i '%tmui' /var/log/ltm

Log entries similar to the following are an indication of possible compromise:
audit.1:Jul  7 18:43:12 [REDACTED] notice tmsh[27903]: 04426005:5: AUDIT - Cannot load user credentials for user "%tmui" Current session has been terminated.
ltm.1:Jul  7 18:43:12 [REDACTED] notice tmsh[27903]: 04426006:5: Cannot load user credentials for user "%tmui" Current session has been terminated.

Versions 14.1.0 and up

In version 14.1.0 and up, you can examine the output of journalctl for evidence of attempts to exploit this vulnerability by issuing the command bash

journalctl /bin/logger | grep -F ';'

Output may appear similar to the following example on a device
Jul 07 22:23:07 hostname logger[29929]: [ssl_acc] nnn.nnn.nnn.nnn - - [07/Jul/2020:22:23:07 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252

If any log entries are visible similar to above, it's an indication of exploiting the BIG-IP system.

Last but not the least, its always a good idea to chain of security (multi vendor), so that you will not get hit by a vulnerability directly, eg: FW ->IPS->BIGIP in this case.... Sigh!

cURL : How do you highjack DNS when there is no permission

Recently, I have landed on an issue, and I need to test a https domain by "hijacking" the DNS (I am getting a different IP being in a different part of the world)

So I decided to use my favorite tool curl with "-H" or --header option, No Luck. And I understand we need to manipulate the SNI. Host entry is the best way, but what if you are not a privileged user... sigh

But, here is the Panacea to address this convoluted issue  - "Lickety-Split"

curl --resolve domainname:port:ipaddress https://url/path


curl --resolve xyx.test.com:443:1.1.1.1 https://xyx.test.com/path